Breathing new life into MBL (new disk/sleep monitoring/miniDLNA/openvpn)

OPENVPN INSTALLATION IN MY BOOK LIVE

Compared with the other topics I have discussed, the documentation I found on installing OpenVPN is limited. I could find three links that talk about installing and configuring OpenVPN on the MBL:

  1. Wikidot: Openvpn - Hacking WD MyBook World Ed
  2. WD community: HOWTO: MBL as OpenVPN server
  3. Optware: http://highlevelbits.fr/index.php?option=com_content&view=article&id=626:openvpn-mybook-live&Itemid=82&lang=fr

Yet none of them really talks about the setup required on the router side.

I am basically following the first link (wikidot) for illustration purposes.

Installing and configuring OpenVPN is not easy to begin with. Installing it on the MBL is harder still, because I could not enable the TUN module that OpenVPN requires. Once OpenVPN is running, the configuration itself is standard. OpenVPN is also built into a number of routers nowadays, or available as an add-on on routers running dd-wrt or openwrt, and the documentation for those is precise. In fact, I recommend using a router as the OpenVPN server unless you really want to explore the MBL's capabilities.

OpenVPN can be used for:

  • remote access to the MBL without exposing it to the internet (turn off remote access in the MBL UI). One connects from the internet over OpenVPN and then reaches the MBL as if from inside the home network
  • access to other devices in the home network without exposing them to the internet
  • an additional layer of encryption while surfing the internet from an untrusted network (the traffic is protected between the client and the home router; beyond the router it is whatever the site itself uses)
  • surfing the internet as if the OpenVPN client were sitting behind the home router

0. Prerequisites:
0.1 The firmware version of my MBL is 02.43.10-048, which should be the latest version as of this writing.
0.2 [home network] the IP range of the home LAN, e.g., 192.168.0.0 with netmask 255.255.255.0 (hosts 192.168.0.1 to 192.168.0.254)
0.3 [vpn network] a separate range for the VPN clients, e.g., 10.1.1.0 with netmask 255.255.255.0. It must not overlap the home network, and preferably not the LAN the client will be connecting from either, otherwise the pushed route is ambiguous and the connection will not work as expected
0.4 [DDNS name] a hostname that always resolves to the home router's current public IP address. I use the DDNS service from http://freeddns.noip.com/ but any free DDNS provider supported by the home router would do.
0.5 [MBL IP] the static (or DHCP-reserved) IP address of the MBL in the home network. The router's port forward and static route below point at this address, so it must not change

1. Installation of OPENVPN in MBL

1.1 Installation of the TUN module in MBL
I could not enable the TUN module, which is a prerequisite for OpenVPN, and finally had to compile the MBL kernel to get it working. This is why I said the installation is complex.

If openvpn already works for you, this step can be skipped.

I shall cover the kernel build with the TUN module in the next topic.

1.2 Installation of OPENVPN and certificates

Run the following commands to download and install the packages:

/opt/bin/ipkg update
/opt/bin/ipkg install openvpn
/opt/bin/ipkg install lzo
ldconfig

Download the custom S20openvpn startup script, openvpn.conf and the easy-rsa tools (note that these are fetched over plain HTTP and the script will run as root at boot, so read through them before using them):

wget http://mybookworld.wikidot.com/local--files/openvpn/S20openvpn.whitelight   -O /opt/etc/init.d/S20openvpn
wget http://mybookworld.wikidot.com/local--files/openvpn/openvpn.conf   -O /opt/etc/openvpn/openvpn.conf
wget http://mybookworld.wikidot.com/local--files/openvpn/easy-rsa.tar  -O /opt/etc/openvpn/easy-rsa.tar
chmod a+x /opt/etc/init.d/S20openvpn
cd /opt/etc/openvpn/
tar -xf /opt/etc/openvpn/easy-rsa.tar
cd /opt/etc/openvpn/easy-rsa

2. Configuration of OPENVPN

There is no userid/password pair in this setup. OpenVPN authenticates both ends with X.509 certificates: a CA certificate, a server certificate and one client certificate per device, all generated with the easy-rsa scripts below.

2.1 Generate the server certificate

Commands to generate the server certificates (note the two dots: the first one sources the file into the current shell so that the variables it sets stay available for the following scripts):

. ./vars

Then:

cd /opt/etc/openvpn/easy-rsa
. ./clean-all
cd /opt/etc/openvpn/easy-rsa
. ./build-ca
cd /opt/etc/openvpn/easy-rsa
. ./build-key-server OpenVPNserver

Some questions will be asked. Press ENTER to accept the default for all of them except the following one:

Common Name (eg, your name or your server's hostname) []: [DDNS name in 0.4]

When you are asked for a challenge password, press ENTER.

When you are requested to sign a certificate, type y :

Sign the certificate? [y/n]: y

Finally, generate the Diffie-Hellman parameters (this is not a certificate; OpenVPN needs the file for the key exchange):

. ./build-dh

The process can take 10-20 minutes on the MBL and prints lines of '+' while it runs. The size comes from KEY_SIZE in the vars file (1024 here, hence the file name dh1024.pem). 1024-bit DH is considered weak today; setting KEY_SIZE=2048 in vars before running build-dh gives dh2048.pem instead (expect a much longer wait on the MBL), in which case the dh line in openvpn.conf and the cp command below must use that name.

When it has finished, copy the newly generated files to the folders the configuration expects:

cp /opt/etc/openvpn/easy-rsa/keys/ca.crt /opt/etc/openvpn/ca.crt
cp /opt/etc/openvpn/easy-rsa/keys/OpenVPNserver.crt /opt/etc/openvpn/OpenVPNserver.crt
cp /opt/etc/openvpn/easy-rsa/keys/OpenVPNserver.key /opt/etc/openvpn/OpenVPNserver.key
cp /opt/etc/openvpn/easy-rsa/keys/dh1024.pem /opt/etc/openvpn/dh1024.pem

2.2 Generate the client certificates

Launch the following command :

. ./build-key OVClient1

You will be asked some questions: press ENTER except for the following one:

Common Name (eg, your name or your server's hostname) []: OVClient1

When you are asked for a challenge phrase, type “ENTER”.

When you are requested to sign a certificate, type y :
Sign the certificate? [y/n]: y

The following files in the directory /opt/etc/openvpn/easy-rsa/keys need to be copied over to the client:

OVClient1.crt
OVClient1.key
ca.crt
dh1024.pem (only the server actually uses this file; copying it is harmless but not needed)

OVClient1.key is the client's private key: move it over a trusted channel (the LAN or a USB stick, not e-mail) and delete any stray copies afterwards. Give each device its own certificate rather than sharing OVClient1, so that a lost device can be told apart from the others.

OVClient2, OVClient3 etc. can be built in the same way.

2.3 OPENVPN configuration

Edit the configuration file /opt/etc/openvpn/openvpn.conf. (I use FileZilla to download the file to the PC, edit it, and upload it back.)

The following statements need to be changed, substituting the values from step 0:

push "route [home network] 255.255.255.0"
server [vpn network] 255.255.255.0
ifconfig-pool-persist /var/log/ipp.txt 1800
status /var/log/ovpn-status.log
log /var/log/openvpn.log

Then edit the S20openvpn script in /opt/etc/init.d so that the insmod line points at the tun.ko of the kernel you are actually running:

insmod /lib/modules/2.6.32.11-svn70860/kernel/drivers/net/tun.ko

(The above is the directory name for the original MBL kernel. It changes after compiling your own kernel; the correct name is whatever uname -r prints.)

We also need to enable IP forwarding on the MBL: edit the file /etc/sysctl.conf and remove the # in front of the line below. sysctl.conf is only read at boot, so to apply it right away run sysctl -p as well (or write 1 to /proc/sys/net/ipv4/ip_forward).

net.ipv4.ip_forward=1

Now we can start openvpn:

/opt/etc/init.d/S20openvpn

To verify that openvpn is really running, and to see whether it is listening on TCP or UDP (the router port forward in 2.4 must match):

netstat -nlp | grep openvpn

If everything is OK, set up a cron job to run openvpn at startup. A sample crontab entry is:

@reboot sleep 60 && modprobe tun && /opt/sbin/openvpn --daemon --cd /opt/etc/openvpn --config openvpn.conf

(This entry starts openvpn directly and loads the module with modprobe, so whatever else S20openvpn does, such as the forwarding setup mentioned in 2.4, is not run by it. Calling /opt/etc/init.d/S20openvpn from the @reboot entry instead keeps everything in one place.)

2.4 Router configuration

There are now two IP subnets: [home network] and [vpn network]. They will not talk to each other automatically. In a custom OpenVPN installation a number of iptables rules are usually required to get the two subnets communicating. The original MBL kernel does not support iptables, but it is still possible to get the two subnets communicating seamlessly with plain routing. (Routers with built-in OpenVPN insert these rules automatically and save the hassle.)

Port forwarding: forward port 1194 to the MBL. Use TCP as shown here only if the proto line in openvpn.conf says tcp; with no proto line OpenVPN listens on UDP, and the netstat output from 2.3 shows which one is actually in use.

(In the router screenshot, the forwarding IP highlighted in red is the [MBL IP].)

(Optional: ports 443/80 are used by WD remote access. I disabled it so that the MBL is not exposed to the internet. The UPnP feature in the router is also disabled for a little more protection: http://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/)

Routing table: any request from [home network] to [vpn network] must be routed through [MBL IP]. Without this static route, a device in the home network that receives a packet from a 10.1.1.x client sends its reply to its default gateway (the router), which knows nothing about the VPN subnet, so the return traffic is lost.

(In the screenshot, the gateway in red is the [MBL IP] and the target in green is the [vpn network].)

(Information only: the IP forwarding enabled on the MBL by the S20openvpn script carries the data from [vpn network] back to [home network], so no setup is required for that direction.)

2.5 Client setup

I am using Windows as the example, but the procedure ports to Android easily.

Download and install the OpenVPN client for Windows from http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.11-I001-x86_64.exe

Create a directory MBL clientkey under C:\Program Files\OpenVPN\config

Copy the four files from step 2.2 to the newly created Windows directory (dh1024.pem is not used on the client side). If the client log later complains that it cannot find ca.crt or the key, point the ca/cert/key lines of the .ovpn file at that subdirectory, since bare file names are resolved relative to the directory the config is started from.

Download the sample client OVPN file: http://mybookworld.wikidot.com/local--files/openvpn/OVClient.ovpn

Edit the file and change the following lines (the key file must carry the same name as the certificate, OVClient1, otherwise the client starts with a mismatched pair):

remote [DDNS name] 1194
cert OVClient1.crt
key OVClient1.key

Important: add the statement at the end of the file:

redirect-gateway def1

The redirect statement ensures all traffic is routed through the VPN. Without it only traffic for [home network] and [vpn network] goes through the tunnel, which is enough for the first two uses listed at the top. It is also worth adding remote-cert-tls server, so that the client only accepts a certificate issued with build-key-server as the VPN server and not any other certificate signed by the same CA, such as another client's.

Save the file as OVClient1.ovpn in the directory C:\Program Files\OpenVPN\config

Run the Windows OpenVPN GUI, right-click on the OpenVPN icon in the system tray, select OVClient1 and Connect.
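Before connecting, it is worth checking the two hand-edited files from 2.3 (server openvpn.conf) and 2.5 (client .ovpn) for the mistakes that commonly break or weaken this setup: a client key named differently from its certificate, a missing remote-cert-tls line, a 1024-bit DH file, a missing proto line (so the router forward may not match), and a VPN pool that overlaps the home network. The script below does that. It is an added example, not code from the original post or from the wikidot files; the two config texts are constructed from the lines the guide edits, and the hostname myhome.ddns.example stands in for [DDNS name].

```python
"""Lint the OpenVPN server config (section 2.3) and client .ovpn (section 2.5).

Added example, not from the original post or the wikidot files. The config
texts are constructed from the lines the guide edits; myhome.ddns.example
is a placeholder for [DDNS name]."""
import ipaddress
import re

SERVER_CONF = """\
# constructed sample mirroring the edited lines of section 2.3
port 1194
dev tun
ca ca.crt
cert OpenVPNserver.crt
key OpenVPNserver.key
dh dh1024.pem
server 10.1.1.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
ifconfig-pool-persist /var/log/ipp.txt 1800
status /var/log/ovpn-status.log
log /var/log/openvpn.log
"""

CLIENT_CONF = """\
# constructed sample mirroring section 2.5 as originally written (note the key name)
client
dev tun
remote myhome.ddns.example 1194
ca ca.crt
cert OVClient1.crt
key OVClient.key
redirect-gateway def1
"""


def parse(conf):
    """Return (directive, args) pairs; lines starting with # or ; are comments."""
    pairs = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = line.replace('"', "").split()   # push "route a b" -> push route a b
            pairs.append((parts[0], parts[1:]))
    return pairs


def args_of(conf, name):
    """Argument lists of every occurrence of directive `name`."""
    return [args for directive, args in parse(conf) if directive == name]


def check_server(conf):
    """Findings for the server side as (code, message) tuples."""
    found = []
    for args in args_of(conf, "dh"):
        if args:
            match = re.search(r"(\d+)", args[0])       # easy-rsa names the file dh<bits>.pem
            bits = int(match.group(1)) if match else 0
            if bits < 2048:
                found.append(("WEAK_DH", f"{args[0]} is {bits}-bit; set KEY_SIZE=2048 in easy-rsa vars and rerun build-dh"))
    if not args_of(conf, "proto"):
        found.append(("PROTO_UNSET", "no proto line: OpenVPN defaults to UDP, so the router must forward UDP 1194"))
    vpn = None
    for args in args_of(conf, "server"):               # server <network> <netmask>
        vpn = ipaddress.ip_network(f"{args[0]}/{args[1]}")
    for args in args_of(conf, "push"):                 # push "route <network> <netmask>"
        if len(args) >= 3 and args[0] == "route":
            home = ipaddress.ip_network(f"{args[1]}/{args[2]}")
            if vpn is not None and home.overlaps(vpn):
                found.append(("SUBNET_OVERLAP", f"pushed route {home} overlaps VPN pool {vpn}; choose another [vpn network]"))
    return found


def check_client(conf):
    """Findings for the client .ovpn; FULL_TUNNEL is informational, the rest are errors."""
    found = []
    certs, keys = args_of(conf, "cert"), args_of(conf, "key")
    if certs and keys:
        cert_stem = certs[0][0].rsplit(".", 1)[0]
        key_stem = keys[0][0].rsplit(".", 1)[0]
        if cert_stem != key_stem:
            found.append(("KEY_CERT_MISMATCH", f"cert {certs[0][0]} but key {keys[0][0]}; easy-rsa names both after the Common Name"))
    if not any(args[:1] == ["server"] for args in args_of(conf, "remote-cert-tls")):
        found.append(("NO_REMOTE_CERT_TLS", "add 'remote-cert-tls server' so only a build-key-server certificate is accepted as the VPN server"))
    if not args_of(conf, "remote"):
        found.append(("NO_REMOTE", "no remote line: set 'remote [DDNS name] 1194'"))
    if args_of(conf, "redirect-gateway"):
        found.append(("FULL_TUNNEL", "redirect-gateway present: all client traffic, not only [home network], goes via the MBL"))
    return found


def errors(findings):
    """Everything except the informational codes; fix these before connecting."""
    return [f for f in findings if f[0] != "FULL_TUNNEL"]


# corrected variants: 2048-bit DH plus an explicit proto; matching key name plus the server check
SERVER_CONF_FIXED = SERVER_CONF.replace("dh dh1024.pem", "dh dh2048.pem").replace("port 1194", "proto udp\nport 1194")
CLIENT_CONF_FIXED = CLIENT_CONF.replace("key OVClient.key", "key OVClient1.key") + "remote-cert-tls server\n"

if __name__ == "__main__":
    for label, conf, check in (("server", SERVER_CONF, check_server), ("client", CLIENT_CONF, check_client)):
        for code, message in check(conf):
            print(f"{label}: {code}: {message}")
```

Run it against your own files by reading them into the two strings; the WEAK_DH and PROTO_UNSET findings explain the dh1024 and port-forward caveats above, and KEY_CERT_MISMATCH is exactly the OVClient.key versus OVClient1.crt slip that a first attempt at the client file is likely to contain.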

3. Verification

We need to make sure the public IP address really changes. It can be checked with a website such as www.ipchicken.com:

  1. record the public IP address before connecting to OpenVPN
  2. connect via OpenVPN
  3. record the public IP address again on www.ipchicken.com; it should now be the home router's address
  4. disconnect the OpenVPN connection
  5. record the public IP address once more; it should have changed back

If the address changes as described, the client's traffic is going through the tunnel. The tunnel itself is encrypted with session keys negotiated during the TLS handshake; the certificates generated in steps 2.1 and 2.2 are what authenticate the two ends of that handshake. The client log should show "Initialization Sequence Completed" once the connection is up.

In addition, from the openvpn client, we should be able to:

  • access the MBL directories
  • (with Android device) using WD cloud to access MBL (even with remote access turn off)
  • access other devices in the home network (e.g.printer/scanner/router/PCs)

Finally, we are done.

I found this much longer than I expected to write on the topic, but I really want the procedure to be repeatable, at least with this version of the firmware.
